Download PDF Version of the May Smart Card Talk.

Smart Card TalkMay 2013 • a Smart Card Alliance ePublication • Volume 18 : Issue 5Sincerely,Randy VanderhoofExecutive Director, Smart Card AllianceActing Director, EMV Migration ForumClick Here to Read Letter ...Dear Members and Friends of the Alliance,One of the most valuable insights about the many applicationsand uses for NFC I received from listening to the experts at thismonth’s NFC Solution Summit 2013 Conference in San Franciscowas simply this: we need to listen to and focus on theconsumer experience first. Whether it has to do with a mobilepayments transaction, a coupon offer, a gaming experience,or some other interaction with an expected half billion NFCenabledportable devices to hit the market next year, focusingand listening to the needs of the consumer is critical. My letterin this month’s issue of Smart Card Talk recaps the event andthe interesting insights conveyed by speakers and panelists. Ifyou have feedback, please feel free to contact me. Thank you foryour support of the Smart Card Alliance.In This Issue:2 Executive Director Letter >>3 Latin America Letter >>4 Member Profile >>6 Feature Article >>10 Council Reports >>On the Web:Members in the News >>Alliance in the News >>Event CalendarFeature Article:Smart Healthcare Cards:Facilitating Compliance withMeaningful UseSmart card and patient identity technologiescan provide a modular electronic health recordsolution and meet HITECH and meaningfuluse requirements. This month’s articleprovides an overview of eight areas in whichsmart card technology can assist healthcareorganizations with meaningful use compliance.Click to Read More …Member Profile:XTecThis month Smart Card Talk spoke withKevin Kozlowski of XTec Incorporated.As Vice President with responsibilities forestablishing XTec as a premier securityprovider for the federal government andcommercial arenas, Kozlowski has been instrumentalin overseeing cabinet-level smartcard systems deployments, contributing tofederal smart card publications and providingsecurity and authentication guidance tonumerous federal agencies.Click to Read More …2013 Government ID SecurityConferenceOct. 15-16, 2013Walter E. Washington Convention Center,Washington, DCSmart Card Alliance MemberMeeting (new!)December 8-10, 2013Biltmore Hotel, Coral Gables, FL

member profileThis month Smart CardTalk spoke with KevinKozlowski of XTec Incorporated.As Vice Presidentwith responsibilitiesfor establishing XTec as apremier security providerfor the federal governmentand commercialarenas, Kozlowski hasbeen instrumental inoverseeing cabinet-levelsmart card systems deployments,contributingto federal smart card publications and providing securityand authentication guidance to numerous federal agencies. Amember of the Smart Card Alliance Access Control Council,he has more than 20 years of experience in the informationtechnology industry, as well as a wide range of experiencein sales, marketing, engineering, and business leadership.Prior to joining XTec, Kozlowski was a Senior Manager withNorthrop Grumman Information Technology, where he providedoversight and management of the combined Logiconand Litton-PRC smart card practice. Kozlowski holds a Bachelor’sdegree in Finance and Economics from James MadisonUniversity and is a Certified Smart Card Industry Professionalin Government (CSCIP/G).1. What is XTec’s main business profile andofferings?At XTec, our focus is authentication – strong, cryptographic authentication.It’s essential for securing facilities and data andessential for fighting fraud. Everything else is peripheral. Oursolutions support rapid, electronic authentication, which detersfraudulent credentials and allows organizations to maintain thetempo of regular operations.Authentication differentiates our AuthentX products and services,which provide identity management capabilities and accesscontrol for an array of government customers. In fact, we are oneof the largest HSPD-12 infrastructure providers in the U.S. government;XTec supports more than 70 federal agencies.Our solutions also reach beyond the federal arena. State and localgovernments, the financial industry, and the health care industrynow look to XTec to help them achieve interoperability and combatfraud.2. What role does smart card technology play inyour business?For the past several years, XTec and the larger smart card markethave grown in tandem. And while we both pre-date HSPD-12, wehave been similarly energized by the directive. That’s because itarticulates a clear, post-September 11 conclusion about security inAmerica and America’s government: sound, interoperable credentialingis essential, and the smart card is our best bet.Granted, many competitors and colleagues in the industry cantrack their growth to the expansion of smart card use after HSPD-12’s issuance. XTec is not unique in that respect. What is unique,however, is XTec’s dynamic combination of smart card technologyand authentication. For XTec, smart cards provide the idealvehicle for quickly conducting electronic authentication for accessto a facility or application. For that very reason, we engineered oursolutions based upon smart card use and for cryptographic operations.The smart-card based design also offers assurance to our customers.We didn’t contort our solutions to meet HSPD-12; the twowere compatible from the start, largely because of their incorporationof smart card technology. And as a result, we do not struggleto adapt to new standards. Our technology evolves seamlesslyalong with the smart card industry itself and with the changingstandards that shape it. Our customers can depend on that.3. What trends do you see developing in yourmarket?We see two main trends taking shape: the demand for PIV-I andgrowing interest in cloud-based solutions.4 Smart Card Talk

PIV-I - After completing the PIV-I certification process, we knewthe technology had significant potential. But last year alone, wesaw interest in PIV-I capabilities explode. Many companies andnon-federal governments are lured by proven, open-standards PIVtechnology. And I think the primary reason is security. These areenterprises that understand more every day: “Hey, the old username-passwordmethod just isn’t viable in today’s world.” Theywant high-assurance credentials.Some want to interoperate with the federal government, but others– such as those in the health care and financial services sectors– simply want technology that offers federal governmentlevelsof security. And PIV-I is where these needs intersect.Cloud - More customers are expressing interest in the benefitsof cloud applications and infrastructure. They want the cost savings,and they like the idea of offloading responsibility for servermaintenance. We support those goals; having a secure, hosted infrastructureis more efficient, cost-effective, and reliable. We justremind these customers that authentication should remain a corepart of their access control process, regardless of where it’s hosted.After all, reducing costs at the expense of security is not a trade-offwe or our customers are willing to make.4. What do you see are the key factors drivingsmart card technology in government andcommercial markets in the U.S.?The very nature of electronic transactions will shape smart cardtechnology in today’s markets. What I mean is this: with electronictransactions you see a competition between the advances our technologyoffers and the savvy of those who want to undermine orharness that technology for their gain. We see this everywheretoday – whether you yourself have been a victim of identity theftor an unauthorized person has penetrated a government applicationor a critical infrastructure component. It’s widespread. Andthe solutions we develop must be stronger than the abilities of thecriminals we face.We have several ways to approach these problems; not all involvea smart card. But we must recognize that a username-passwordapproach isn’t viable, not with such high stakes. Because no matterhow much security you encase it with, a username-passwordcombination is a knowledge-based approach. It’s inherently vulnerable.5. What are some of the challenges you seeconfronting the smart card technology industry?Education on smart cards is our primary challenge as an industry.Within the federal government, most people understand at leastthe value of smart cards, even if they don’t recognize the full rangeof capabilities. But beyond the federal government is an array ofindustries and local government entities that need the security thatsmart cards offer. They just don’t know enough about it.I would say education efforts should focus on three key facts: First,smart card technology is privacy enhancing; it is intertwined withan existing trust infrastructure. Second, it can be user friendly aswell as mobile. Implementation and use are not onerous processes.Third, when implemented as an enterprise solution, smart cardtechnology offers a notable return on investment.If more non-federal enterprises knew these facts, I think adoptionof smart card technology would be even more widespread.6. What type of measurable impact has the SmartCard Alliance and/or Councils made in yourcompany’s business?The Smart Card Alliance has been an invaluable resource for industrycollaboration. Although the smart card market is biggerthan ever, it still maintains a niche feel. That common bond ofspecializing in a targeted technology unites Smart Card Alliancemember companies and allows the group to remain focused andto continue providing value to its members.The Alliance is also a significant source of employee education forXTec. More than 40% of our employees have completed the LEAPCertified Smart Card Industry Professional (CSCIP) program. Wefind that proven, measurable competence in our field is compellingfor both current and potential customers.Member Point of Contact:Kevin KozlowskiVice President, XTec Incorporated, www.xtec.comkkozlowski@xtec.com(703) 547-3524Smart Card Talk 5

feature articleSmart Healthcare Cards:Facilitating Compliance with Meaningful UseMeaningful use of health information technology is an umbrellaterm for rules and regulations with which hospitals and physiciansmust comply to qualify for federal incentive funding under theAmerican Recovery and Reinvestment Act of 2009 (ARRA). [1]ARRA authorizes the Centers for Medicare and Medicaid Services(CMS) to provide reimbursement incentives for eligible professionalsand hospitals that meet meaningful use criteria on the wayto becoming “meaningful users” of certified electronic health record(EHR) technology. Meaningful use includes using EHR technologyfor functions that both demonstrate and improve quality ofcare, such as e-prescribing, electronic exchange of health information,and submission of quality measures to CMS.Meaningful use sets healthcare goals, rather than goals for informationtechnology. The overall goals are to use EHR technologyfor the following:1. Improve quality, safety, and efficiency of patient care2. Engage patients and families3. Improve care coordination4. Ensure adequate privacy and security for personal healthinformation5. Improve population and public healthHospital LOGO & NamePatientSUSAN B JONES-SMITHConfidential Patient ID808400 123456 789012Provider (80840)1234 567 893DOB 11/14/1978Issued 5/14/10health information securely over the internet with theirfamilies.• The Stage 2 rules document includes:• Minor changes to Stage 1 criteria and measures• Additional requirements and measures for achieving Stage 2• Additional clinical quality measures• Additional reporting requirements and mechanismsImplementation of meaningful use and incentive payment opportunitiesextends until at least 2020, with incentives decreasing overtime to encourage early adoption of EHR technology.Smart cards can make critical information readily available tohealthcare providers and facilities, which positively affects thequality, accuracy, and cost of care. Current technology supportssmart card solutions that can integrate with current provider systemsusing the cloud and HL7 messaging. Health informationcan be exchanged among providers and across systems, makingkey health information mobile and facilitating coordination ofcare. This same technology also allows healthcare informationto be transformed into a standardized electronic format that canbe accessed by patients and their families through secure patientportals.Implementation of meaningful use is occurring in multiple stages.Stage 1 implementation requirements and measures are documentedin the Department of Health and Human Services FinalRule of July 28, 2010.The Department of Health and Human Services’ Office of the NationalCoordinator (ONC) states that EHRs provide the followingbenefits for providers and their patients: [2]• Complete and accurate health information.• Better access to health information.• EHRs facilitate access to the information that providers needto diagnose health problems earlier and improve the healthoutcomes of their patients. EHRs also allow information tobe shared more easily among doctors’ offices and hospitalsand across healthcare systems, leading to better coordinationof care.• Patient empowerment.• EHRs empower patients to take a more active role in theirhealth and in the health of their families. Patients can receiveelectronic copies of their medical records and share theirSmart card and patient identity technologies can provide a modularEHR solution and meet Health Information Technology forEconomic and Clinical Health (HITECH) and meaningful use requirementsin eight areas:• Streamline patient registration and discharge• Fulfill government requirements for confirming identityverification• Increase patient privacy and security• Prevent record duplication• Provide consistent branding across an organization andbeyond• Serve as a real-time, portable mini-EHR• Provide first responders with potentially life-savinginformation• Satisfy HIPAA compliance requirementsStreamline registration and discharge. Use of a smart healthcarecard for registration or admission allows healthcare organizationsto decrease patient wait times, improve the quality of care, andheighten efficiency by confirming a patient’s identity, registering orchecking the patient in, and verifying insurance instantly. Because6 Smart Card Talk

the process does not rely on human data entry or transcription, errorscan be virtually eliminated. Use of a smart healthcare card atdischarge allows the system to recognize a patient’s identity, matchit to the visit, update the card with demographic and medical information,update a patient data portal with required discharge information(e.g., follow up appointments, medication information,education, instructions, activity requirements, dietary care), andtrigger transmission of any required educational materials to thepatient’s e-mail address.Meet government identity verification requirements. Smartcard technology is currently used for the Department of DefenseCommon Access Card (CAC), the Federal Information ProcessingStandard (FIPS) 201 Personal Identity Verification (PIV) card(issued to all Federal employees and subcontractors), the TransportationWorker Identification Credential (TWIC), and the U.S.electronic passport. Using standards such as FIPS 201, smart cardscan provide single sign-on solutions to EHRs for government-employedmedical personnel, such as physicians and nurses.Increase patient privacy and security. Smart card solutions canmeet or exceed all mandates and requirements for patient privacy,safety, records, system security, and confidentiality. All smart carddata can be encrypted, and all data transmitted can comply withapplicable standards (e.g., HL7, SnoMed, and ISO/IEC). Medicareand Medicaid data and statistics can be maintained per federal requirements.[3]Smart cards integrated with an identity softwaresolution can also support automated time-based reporting andreview of patient data, protecting healthcare information with encryptionalgorithms that allow access only by authorized readers.Smart cards can support multi-factor authentication, which satisfiesrequirements such as those for e-prescribing, and can providestrong authentication, digital signatures, and security through encryption.Prevent record duplication. Smart cards can significantly decreasethe incidence of duplicate records and the associated expense.Linking a patient to that patient’s health records seemsa simple process, but human error, such as transcription of thewrong medical record number, can retrieve an incorrect recordor cause creation of a duplicate record because the correct recordhas not been located. Using authenticated identifiers on a cardcan match a patient to that patient’s individual medical record, improvingadministrative functions such as billing and registrationand enhancing continuity of care.Provide consistent branding.While smart cards can provide asingle tool for patient identitymanagement, they also provideSmart Card Talk 7

healthcare organizations and affiliations with the opportunity tobuild stronger community alliances between healthcare organizations,integrated delivery networks, hospital systems, providernetworks, and auxiliary services. Coupled with identity software,smart cards can replace multiple cards (e.g., insurance IDs, allergycards, registration cards) that a patient or consumer would otherwisehave to carry to be known throughout the organization.In addition, there are smart card solutions that make the patient’shealthcare provider of record immediately known and recognizedto other members of the healthcare community, such as pharmacies,durable equipment providers, and others.Serve as a real-time EHR. Smart cards can contain encryptedpatient demographic information, such as name, date of birth,height, weight, and body mass index (BMI), as well as other keyinformation. In addition, a smart card can store key health datacomponents such as current medications, allergies, immunizations,a conditions or problem list, smoking status, surgeries, andhospitalizations. Smart cards can also be configured to store patientinformation such as implanted devices, artificial valves, defibrillators,advance directives, and organ donation status. Unlikestandard EHRs, a smart card is mobile and goes with the patient.Provide first responders with critical information. In an emergency,smart cards can enable first responders using a simpleportable reader to identify a patient immediately and access thepatient’s medical record, regardless of whether the patient is conscious,is emotionally or physically able to convey the entire medicalpicture accurately, or has language barriers that impede effectivecommunication.Satisfy HIPAA compliance requirements. Smart healthcarecards offer entities covered under HIPAA an effective tool to facilitatecompliance with the HIPAA Privacy Rule. One of the key provisionsof the HIPAA Privacy Rule is to assure that an individual’shealth information is properly protected and that individuals cancontrol how their health information is accessed and used. Providinghealthcare organization employees as well as patients withsmart healthcare cards can help ensure that health informationis accessed only by those with the appropriate credentials. Manyrecent high-profile breaches of protected health information occurbecause data is kept on unsecured, unencrypted devices suchas CDs and USB flash drives, or because entities have been ableto access medical records without proper authorization. A smarthealthcare card can minimize or eliminate such breaches usingembedded secure chip technology, encryption, and other cryptographymeasures that make it extremely difficult for unauthorizedusers to access or use information on the smart card or to createduplicate cards. These capabilities help protect patients fromidentity theft, protect healthcare institutions from medical fraud,and help healthcare providers meet HIPAA privacy and securityrequirements.8 Smart Card TalkIn summary, smart healthcare cards can better position healthcareorganizations and providers for meaningful use of EHRs, while addressingmany of the security and privacy challenges that comewith EHRs and health data exchanges.References and Notes[1] Meaningful use is a broad topic. For more information,follow the links to “EHR Incentives” at The Centers forMedicare and Medicaid Services Web site: https://www.cms.gov. Dr. John Hamalka’s blog (http://geekdoctor.blogspot.com/2011/01/bookmarked-final-rules.html) contains bookmarkedversions of the CMS final rules. Additional resourcesare the Healthcare Information and Management Society(HIMMS), “Meaningful Use One Source,” http://www.himss.org/ASP/topics_meaningfuluse.asp.[2] “What Is Meaningful Use?,” HHS HealthIT.gov web site,http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__meaningful_use_announcement/2996[3] http://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Information-Security-Library.html. CMS has defined 11 informationtypes processed by CMS information systems. Foreach information type, CMS used FIPS 199 to determine anassociated security category. CMS also used OMB M-04-04to determine each information type’s e-Authentication assurancelevel.About this ArticleThis article is an extract from the Smart Card AllianceHealthcare Council publication, Smart Card Technologyin U.S. Healthcare: Frequently Asked Questions. The FAQwas developed to provide an easy-to-use resource for understandinghow smart card technology is used for healthcareapplications and for discussing the benefits that smarthealthcare cards deliver to patients, healthcare providers andhealthcare payers. Healthcare Council members participatingin the development and review of the FAQ included: ABnoteGroup; CSC; Datacard Group; Eid Passport; Gemalto;LifeMed ID, Inc.; Oberthur Technologies; OTI America; RMIndustries; SafeNet Inc.; SecureKey Technologies; WatchdataTechnologies USA; XTec, Inc.About the Smart Card Alliance HealthcareCouncilThe Smart Card Alliance Healthcare Council brings togetherpayers, providers, and technologists to promote the adoptionof smart cards in U.S. healthcare organizations. The HealthcareCouncil provides a forum where all stakeholders cancollaborate to educate the market on the how smart cardscan be used and to work on issues inhibiting the industry.

Welcome New Members• Hillsborough Transit Authority, Government• ImageWare Systems, Inc., General Member• Intelligent Parking Concepts LLC, Associate Member• IPS Group, Inc., General Member• STMicroelectronics Ltda., SCALA, GovernmentNew CSCIP Recipients• Jamie Chang, Deloitte & Touche LLP• Vamsi K. BondadaVenkata, Deloitte & Touche LLP• Brenda Sutton, Deloitte & Touche LLP• John Ward, Deloitte & Touche LLPFor more news, visit our website at www.smartcardalliance.org.Members can also access white papers, educational resources and other content.from the alliance office191 Clarksville RoadPrinceton Junction, New Jersey 085501.800.556.6828Fax: 1.609.799.7032info@smartcardalliance.orgwww.smartcardalliance.orgAbout Smart Card TalkSmart Card Talk is the monthly e-newsletterpublished by the Smart Card Allianceto report on industry news, informationand events and to provide highlights of Allianceactivities and membership.About the Smart Card AllianceThe Smart Card Alliance is a not-for-profit,multi-industry association working tostimulate the understanding, adoption, useand widespread application of smart cardtechnology.Smart Card Talk 9

council reportsUpdates from the Alliance Industry CouncilsAccess Control• The Access Control Council is working on a projectto provide comments to the U.S. Coast Guard on theTransportation Working Identification Credential ReaderRequirements Notice of Proposed Rulemaking (NPRM).• The Council is developing comments to submit to NIST onthe draft Special Publication (SP) 800-73-4, Interfaces forPersonal Identity Verification.Healthcare• The Healthcare Council is collaborating with the Workgroupfor Electronic Data Interchange (WEDI) Health ID Card Subworkgroupto provide input on smart cards and biometricsfor a WEDI research paper.• The Council is developing comments to respond to the Senaterequest for feedback on federal progress promoting healthinformation technology adoption and standardsIdentity• The Identity Council is developing a white paper on smartcard technology and NSTIC. The goal of the white paper isto raise awareness of the benefits of smart card technologyand show how smart card technology can be used for highassurance credentials in the NSTIC identity ecosystem.• The Council is completing a cross-council white paper projecton supporting the PIV application on mobile devices with theUICC.Mobile and NFC• The Mobile and NFC Council held two successful webinarsto complete the series on mobile/NFC security fundamentals.The third webinar, “NFC Forum Tags and SecurityConsiderations,” was held on April 18 th , with presentationsfrom Tony Rosati (NFC Forum Security Work Group &Blackberry), Joe Tassone (Identive), Mike Zercher (NXPSemiconductors), and Rob Zivney (Identification TechnologyPartners). The fourth webinar, “NFC Application UseCases: Security Considerations,” was held on May 9 th andfeatured presentations from Tony Sabetti (Isis), ChristianAli (SecureKey Technologies), Jonathan Main (NFC Forum/MasterCard), and Steve Rogers (IQ Devices). Webinarrecordings are available at http://www.smartcardalliance.org/pages/activities-events-mobile-nfc-security-fundamentals.10 Smart Card Talk

• The Mobile and NFC Council held a well-attended in-personmeeting at the 2013 NFC Solutions Summit on May 15 th . Themeeting focused on the secure credentials on mobile deviceswhite paper use cases, with presentations from the memberteams on the progress of their content.• A Smart Card Alliance workshop, “NFC Base Camp: TheFundamentals of NFC Mobile Technology and BusinessApplications,” was held at the NFC Solutions Summit onMay 14, 2013, in Burlingame, CA. Speakers included: Jean-Luc Azou (HID Global); Lanny Byers (Consult Hyperion);Mukesh Chandek (Gemalto); David deKozan (Cubic); ChrisEdwards (Intercede); Jeff Fonseca (NXP Semiconductors);Howard Hall (Consult Hyperion); Reid Holmes (INSIDESecure); Roger Hornstra (Identive); Tony Sabetti (Isis);Bart van Hoek (UL); Tom Zalewski (CorFire); Rob Zivney(Identification Technology Partners).Payments• The Payments Council is starting two new projects: a whitepaper on EMV and card-not-present fraud and a white paperon the U.S. payments landscape.• The Council held an in-person meeting at the 2013 NFCSolutions Summit on May 15 th , discussing status of Councilprojects.Transportation• The Transportation Council completed an election for theparking vice chair; Steven Grant (LTK Engineering Services)has been elected. In addition, Eric Schindewolf (Visa) hasjoined the Council Steering Committee.• The Council is starting a new white paper project on the EMVimpact on transit.Other Council Information• Members-only council web pages are available at http://www.smartcardalliance.org/councils. These are passwordprotectedpages that contain council working and backgrounddocuments and contact lists. Each Council area has aseparate password since Councils may have differentmembership policies. If you are a Smart Card Alliancemember and would like access to a council site, please contactCathy Medich.• A Council meeting calendar is available on the members-onlyweb site at http://www.smartcardalliance.org/pages/memberscouncil-resources.• If you are interested in forming or participating in an Alliancecouncil, contact Cathy Medich.Alliance Members: Participation in all currentcouncils is open to any Smart Card Alliance memberwho wishes to contribute to the council projects. Ifyou are interested in participating in any of the activecouncils, please contact Cathy Medich.Smart Card Talk 11